Globalprotect client config - force push portal config update?

Reply
Highlighted
L3 Networker

Globalprotect client config - force push portal config update?

We rolled out a vpn solution with “on-demand” login. This has proved successful and we now wish to convert the configuration to be “always on”

I have changed the portal configuration to “prelogon always on”, but the clients do not pick up this config change unless they manually initiate an “on-demand” connection first. Then the portal config changes get pushed to the client.

What I am looking for is a way to force the client config to update to be always on without the user initiating a manual on demand connection to pull the new config.

How can I achieve this?
Highlighted
Cyber Elite

Re: Globalprotect client config - force push portal config update?

The problem is the client has a set config and given that the current state or previous state was "on-demand" any change you make on the firewall side won't be made to the client until they connect.

 

The only way to get this update on the clients without them connecting in is to modify the client machine directly:

 

 

Here's the high level:

 

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the...

 

 

Here's some more specific config parameters:

 

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the...

 

Finally (from the above link) here's the link on how to make the change to the client you want:

 

https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the...

Highlighted
L3 Networker

Re: Globalprotect client config - force push portal config update?

Excellent! I’ll liaise with the team tomorrow and see if we can get this pushed out via gp or something
Highlighted
Cyber Elite

Re: Globalprotect client config - force push portal config update?

I used these with my SCCM team and they pushed out the relevant config and it worked great.

Highlighted
L3 Networker

Re: Globalprotect client config - force push portal config update?

where within the registry would i deploy these keys? for example if i wanted initial state to be prelogon always on:

 

connect-method on-demand | pre-logon | user-logon

Highlighted
L2 Linker

Re: Globalprotect client config - force push portal config update?

The path to the registry setting is here.

 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings

 

The key value is connect-method

The value data is either on-demand, pre-logon, or user-logon

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!